b'March 26, 2002\n\nCHARLES E. BRAVO\nSENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER\n\nROBERT L. OTTO\nVICE PRESIDENT. INFORMATION TECHNOLOGY\n\nSUBJECT:     Audit Repori - Facilities Database Application Development Review\n             (Report Number EM-AR-02-003)\n\nThis repori presents the results of our audit of the Facilities Database Application\nDevelopment (Project Number 01BS009IS003). This audit was a self-initiated review\nthat was included in our fiscal year 2002 Audit Workload Plan.\n\nThe audit did not reveal any high-level requirements definition or security deficiencies.\nHowever, we found for the concept solution and program definition process point,\nprogram management did not always follow an established systems development life\ncycle methodology, and did not produce a key deliverable. As a result, the Postal\nService assumed a risk that the proposed solution for the Facilities Database will not\nmeet the established business needs. Additionally, the Postal Service has no\nassurance the benefits of the Facilities Database effort will outweigh the costs of\ndeveloping a new system or the detriments of remaining with the existing systems which\ndo not completely meet the needs of the Postal Service. Management agreed to our\nrecommendations and has planned corrective actions addressing the issues identified in\nthis report. Management\'s comments and our evaluation of these comments are\nincluded in this report.\n\nWe appreciate the cooperation and couilesres provided by your staff during the review.\nIf you have any questions or need additional information, please contact Robert Batta,\ndirector. Electronic Commerce and Marketing, at (703) 248-2100, or me at\n(703) 248-2300.\n\n\n\nRonald D, Merryman\nActing Assistant Inspector General\n for eBusiness\n\nAttachment\n\x0ccc: James W. Buie\n    Wayne H. Orbke\n    James L. Golden\n    Susan M. Duchek\n\x0cFacilities Database Application                           EM-AR-02-003\n Development Review\n\n\n\n                                  T A B L E OF CONTENTS\n Executive Summary                                              i\n\n Parti\n\n Introduction                                                  1\n\n     Background                                                1\n     Objective, Scope, and Methodology                         2\n     Prior Audit Coverage                                      2\n\n Part II\n\n Audit Results                                                 4\n\n    Systems Development Life Cycle Methodology                 4\n                                                               4\n                                                               5\n                                                               5\n                                                               5\n         Independent Quality Assurance Representative          5\n         Recommendation                                        6\n         Management\'s Comments                                 6\n         Evaluation of Management\'s Comments                   6\n\n    Key Deliverable                                            7\n    Recommendation                                             8\n    Management\'s Comments                                      8\n    Evaluation of Management\'s Comments                        8\n\n Appendix A. Glossary                                          9\n\n Appendix B. Management\'s Comments                            10\n\x0cFacilities Database Application                                                                    EM-AR-02-003\n Development Review\n\n\n                                      EXECUTIVE SUMMARY\n\n Introduction                     There are five major stages in the systems development life\n                                  cycle. Each stage has several process points that need to\n                                  be accomplished to develop a successful project. This\n                                  report presents the results of our self-initiated audit of the\n                                  concept solution and program definition, as well as the high-\n                                  level requirements definition process points of the Facilities\n                                  Database application. This is the third report in a series of\n                                  Office of Inspector General (OIG) reviews of Postal Service\n                                  initiatives in the early phases of development. By early\n                                  involvement in the process, the OIG can make\n                                  recommendations to resolve issues in the initial stages of\n                                  development prior to system implementation. Studies\n                                  indicated that it is up to 100 times more costly to make\n                                  changes after a system is placed into production.\n\n                                   Our objective was to determine if Postal Service\n                                   management: (1) followed sound systems development life\n                                   cycle processes; (2) produced key deliverables; and\n                                   (3) included key security features during systems\n                                   development.\n\n  Results in Brief                 Our review of the Facilities Database did not reveal any\n                                   high-level requirements definition or security deficiencies.\n                                   However, we found for the concept solution and program\n                                   definition process point, program management did not\n                                   always follow an established systems development life\n                                   cycle^ methodology, and did not produce a key deliverable.\n                                   This occurred because program management did not\n                                   always understand and follow existing Postal Service\n                                   policies, procedures, and guidelines.\n\n                                   As a result, the Postal Service assumed a risk that the\n                                   proposed solution for the Facilities Database will not meet\n                                   the established business needs. Additionally, the Postal\n                                   Service has no assurance the benefits of the Facilities\n                                   Database effort will outweigh the costs of developing a new\n                                   system or the detriments of remaining with the existing\n\n\n\n\n ^ A systems development life cycle is a logical process by which systems analysts, software engineers, programmers,\n and end users build information systems and computer applic:atJons to solve business problems and needs.\n\x0cFacilities Database Application                                                   EM-AR-02-003\n Development Review\n\n\n\n                                  systems which do not completely meet the needs of the\n                                  Postal Service,\n\n Summary of                       We determined that the Facilities Database development\n Recommendations                  effort should remain in the concept phase until the\n                                  corrective actions are taken. Specifically, we recommended\n                                  management conduct a feasibility study and cost benefit\n                                  analysis. Additionally, we recommended management\n                                  ensure that independent software quality assurance\n                                  functions are performed throughout the Facilities Database\n                                  project.\n\n Summary of                       Management agreed with our findings and\n Management\'s                     recommendations. Corrective actions are under way to\n Comments                         resolve the remaining items in fiscal year 2002.\n                                  Management\'s comments, in their entirety, are included in\n                                  Appendix B of this report.\n\n Overall Evaluation of            Management\'s comments are responsive to our findings\n Management\'s                     and recommendations. We agree with the planned\n Comments                         corrective action for each recommendation.\n\x0cFacilities Database Application                                                                EM-AR-02-003\n Development Review\n\n\n                                     INTRODUCTION\n\n Background                       The Facilities Database will provide a single, integrated\n                                  database that contains accurate and up-to-date information\n                                  on all Postal Service facilities. The Facilities Database is\n                                  needed: (1) internally to provide accurate and consistent\n                                  information to the customer, and (2) externally to be used by\n                                  our major mailers and future Internet customers to improve\n                                  ease of doing business with the Postal Service.\n\n                                  Currently, the Postal Service has numerous stand-alone\n                                  databases that contain information and demographics about\n                                  facilities and the services provided. Most of these\n                                  databases have been built along functional lines and are of\n                                  minimal use to other functions within the Postal Service.\n                                  These databases have usually been populated via hard\n                                  copy surveys and are poorly maintained, if at all. The\n                                  Facilities Database will not replace the existing stand-alone\n                                  databases, but will serve as a centralized repository for core\n                                  facility related information.\n\n                                  Our review of the Facilities Database occurred at the end of\n                                  the systems development life cycle concept phase, where it\n                                  was undergoing concept solution, program definition, and\n                                  high-level requirements definition.\n\n                                                 Process Points Re\\iewed In Relation\n                                            to Ihe Systems Development Life Cycle Phases\n\n                                           CoMC\xc2\xbbpl   H aiming   D\xc2\xabiii;ii   Iinp[\xc2\xbbm\xc2\xabnl\xc2\xabtiou M\xc2\xbbim\xc2\xbbu\xc2\xabii\'\'\xc2\xab\n\n\n\n\n                                  The concept phase covers the identification of a need for\n                                  the system, validation of the need, and exploration of\n                                  alternative functional concepts to satisfy the need. The\n                                  requirements definition phase usually covers functional\n\x0cFacilities Database Application                                                      EM-AR-02-003\n Development Review\n\n\n                                  requirements identification and detailed planning for the\n                                  development including preparing the project plan. Technical\n                                  terms used in this report are described in Appendix A.\n\n Objective, Scope, and            The objective of this audit was to evaluate the Postal\n Methodology                      Service\'s Facilities Database development effort in the final\n                                  stages of the concept phase in the systems development\n                                  life cycle. We reviewed concept solution, program\n                                  definition, and high-level requirements definition process\n                                  points of the Facilities Database development effort.\n                                  Specifically, for these processes we determined if Postal\n                                  Service management: (1) followed sound systems\n                                  development life cycle processes; (2) produced key\n                                  deliverables; and (3) included key security features during\n                                  systems development.\n\n                                  Specifically, to accomplish our objective, we reviewed the\n                                  business needs statement, assessment report, project plan,\n                                  high-level functional requirements, and contract documents.\n                                  We interviewed key project management personnel,\n                                  including the program manager, program owner, information\n                                  system security officer, and end-users to determine their\n                                  involvement in the development effort.\n\n                                  We conducted audit fieldwork at Postal Service\n                                  Headquarters, the National Customer Support Center in\n                                  Memphis, Tennessee, and the Processing and Distribution\n                                  Center, in Merrifield, Virginia, from September through\n                                  October 2001. In addition, we also reviewed applicable\n                                  laws and regulations, as well as information systems\n                                  industry standards and best practices. This audit was\n                                  conducted from September 2001 through March 2002 in\n                                  accordance with generally accepted government auditing\n                                  standards and included such tests of internal controls as\n                                  were considered necessary under the circumstances. We\n                                  did not rely on computer-generated data to accomplish our\n                                  objectives. We discussed our conclusions and observations\n                                  with appropriate management officials and included their\n                                  comments, where appropriate.\n\n\n Prior Audit Coverage             Our September 29, 2000, report, State of Computer\n                                  Security in the Postal Service (Report Number IS-AR-00-\n                                  004) cited that: (1) many Postal Service managers were not\n                                  fully aware of their responsibilities for computer security;\n                                  and many Postal Service officials viewed computer security\n\x0cFacilities Database Application                                                     EM-AR-02-003\n Development Review\n\n\n\n                                  as the sole responsibility of the information technology\n                                  office; (2) a lack of security awareness has resulted in less\n                                  than sufficient emphasis placed on planning and budgeting\n                                  for computer security; (3) policies and procedures for\n                                  computer security were nonexistent, outdated, or oftentimes\n                                  not implemented or followed; and (4) the National\n                                  Information Systems Security organization did not have\n                                  computer security enforcement authority, and was\n                                  understaffed, underfunded, and not visible postal-wide.\n                                  Management agreed with our recommendations and\n                                  indicated they are working to address the issues.\n\x0cFacilities Database Application                                                     EM-AR-02-003\n Development Review\n\n\n                                     AUDIT RESULTS\n Systems                          We found that Facilities Database program management did\n Development Life                 not always follow the established systems development life\n Cycle Methodology                cycle methodology during concept solution and program\n                                  definition of the Facilities Database. Specifically, program\n                                  management did not perform a feasibility study or appoint an\n                                  independent software quality assurance representative to\n                                  oversee the project. As a result, the proposed solution for\n                                  Facilities Database may not meet all the established\n                                  business needs.\n\n                                  The objective of this audit was to evaluate the Postal\n                                  Service\'s Facilities Database development effort in the final\n                                  stages of the concept phase in the systems development life\n                                  cycle. Specifically, we determined if Postal Service\n                                  management followed sound systems development life cycle\n                                  processes, systems development life cycle methodologies\n                                  produced key deliverables, and key security features were\n                                  included during systems development. Audit fieldwork was\n                                  conducted from September through October 2001.\n\n\n\n\n                                                        m\n\x0cFacilities Database Application                                                                      EM-AR-02-003\n Development Review\n\n\n\n\n Independent Quality               Program management did not appoint an independent\n Assurance                         software quality assurance representative.^ Further,\n Representative                    program managers did not institute an alternate system of\n                                   controls to ensure the functions of an independent quality\n                                   assurance representative were accomplished. For example,\n                                   program management did not ensure a software quality\n                                   assurance plan was developed, an independent review of\n                                   software development life cycle activities was conducted to\n                                   ensure process compliance, or key deliverables were\n                                   identified for review by an independent party.\n\n\n\n\n^ The software quality assurance representative independently facilitates the development of defect free\nproducts that meet all requirements and are delivered on time at the lowest possible cost\n\x0cFacilities Database Application                                                      EM-AR-02-003\n Development Review\n\n\n\n                                  The primary purpose of an independent software quality\n                                  assurance representative is to facilitate the development of\n                                  defect-free products that meet all requirements and are\n                                  delivered on time at the lowest possible cost. The Postal\n                                  Service Software Process Standards and Procedures\n                                  guideline recommends that at project initiation an\n                                  independent software quality assurance representative\n                                  should be appointed to each project.\n\n                                  This appointment did not take place because program\n                                  management did not follow existing Postal Service policies\n                                  and guidelines or establish an alternate system of controls.\n                                  As a result, program management cannot ensure that the\n                                  development process was appropriately monitored,\n                                  established standards were followed, and system\n                                  inadequacies were brought to management\'s attention.\n\n Recommendation                   We recommend the senior vice president, chief technology\n                                  officer, ensure:\n\n                                     2. Independent software quality assurance functions are\n                                        performed throughout the Facilities Database project.\n\n Management\'s                     Management agreed with our recommendation and will take\n Comments                         corrective action by adding a software quality assurance\n                                  representative to the project team in Quarter 3, FY 2002.\n\n Evaluation of                    Management\'s planned actions are responsive to our\n Management\'s                     recommendation.\n Comments\n\x0cFacilities Database Application                                                                       EM-AR-02-003\n Development Review\n\n\n\n Key Deliverable                   Program management did not ensure that all key\n                                   deliverables were produced during the concept phase.\n                                   Specifically, a cost benefit analysis, a key selection criteria\n                                   for evaluating alternative solutions, was not accomplished.\n                                   Further, program management did not conduct an alternate\n                                   study to identify or evaluate costs and benefits of all possible\n                                   solutions against predetermined criteria.\n\n                                   To properly manage and initiate a major program, resource\n                                   cost estimates should help define the relationship with\n                                   corporate direction, designing and testing the concept;\n                                   implementing the program; and tracking, reviewing, and\n                                   archiving program completion. The Postal Service Program\n                                   Management Process auidelines. dated September 1999,\n                                   recommends the program manager, with the assistance of\n                                   Purchasing and Materials and Finance, and other subject\n                                   matter experts, develop an approximation of the costs of the\n                                   resources needed to complete program activities.\n\n                                   Further, the Postal Service Software Process Standards and\n                                   Procedures, dated March 1995, recommends the cost\n                                   estimate include costs from all information systems\n                                   supporting organizations for the entire project and be\n                                   prepared in conjunction with the feasibility study.\n\n                                   The cost benefit analysis was not prepared because the\n                                   program manager believed the cost benefit analysis was\n                                   part of the Decision Analysis Report^ process that is\n                                   prepared at the end of the concept phase. However, Postal\n                                   Service policies recommend the cost benefit analysis be\n                                   prepared at an earlier stage in the project.\n\n                                   As a result, the Postal Service has no assurance the\n                                   benefits of the Facilities Database effort outweigh the costs\n                                   of developing a new system or detriments of remaining with\n                                   the existing systems which do not completely meet the\n                                   Postal Service needs. In addition, the Postal Service may\n                                   have unnecessarily spent time and money on a solution that\n                                   is not cost beneficial.\n\n\n\n\n ** The Decision Analysts Report is a document developed by the requiring organization to justify a project\n investment and to assist the approval authorities in making decisions concerning the use of Postal Service\n funds.\n\x0cFacilities Database Application                                                     EM-AR-02-003\n Development Review\n\n\n\n Recommendation                   We recommend the senior vice president, chief technology\n                                  officer:\n\n                                     3. Complete the cost benefit analysis prior to moving\n                                        fonward with a request for funding.\n\n Management\'s                     Management agreed with our recommendation and will take\n Comments                         corrective action by including a cost benefits analysis with\n                                  the funding request scheduled for Quarler 4, FY 2002.\n\n Evaluation of                    Management\'s planned actions are responsive to our\n Management\'s                     recommendation.\n Comments\n\x0cFacilities Database Application                                                    EM-AR-02-003\n Development Review\n\n\n\n\n                             APPENDIX A.        GLOSSARY\n\n\nTerm                        Description\n\nAssessment Report           The assessment report was conducted to analyze the current\n                            facilities database environment.\n\nDecision Analysis           The Decision Analysis Report is a document developed by the\nReport                      requiring organization to justify a project investment and to assist\n                            the approval authorities in making decisions concerning the use of\n                            Postal Service funds.\n\nCommercial of the            Software available through lease or purchase in the commercial\nShelf Software               market from an organization representing itself to have ownership\n                             of marketing rights in the software.\n\nSoftware Quality            The software quality assurance representative independently\nAssurance                   facilitates the development of defect free products that meet all\nRepresentative              requirements and are delivered on time at the lowest possible cost.\n\nSystems                      A systems development life cycle is a logical process by which\nDevelopment Life             systems analysts, software engineers, programmers, and end\nCycle                        users build information systems and computer applications to solve\n                             business problems and needs.\n\x0cFacilities Database Application                                                                                      EM-AR-02-003\n Development Review\n\n\n               APPENDIX B. MANAGEMENT\'S COMMENTS\n\n               O w n r a E ft\xc2\xbbMr,\n               0 \xc2\xab r TroMnoar Cmcm\n               SrHon Mcc ncanruT\n\n\n               POSIALSBnnCF\n\n\n\n\n                M i t v h 11,3009\n\n\n\n\n                MS. EOSALL\n\n                SUBJECT:            Msnosement H n p o n M to Draft Audll RspOft\xe2\x80\x94FaciUtiw OaUitMM Application\n                                    Dewlapmenl Rsvlaw (Rapod Numbor EM-An-02-DRAFT)\n\n\n                Thti provhtos Iho manaoement fesponse to the Oltica of Inipflctor OarwrBl (OlG) d t M audi\n                report on flra Faclttuot Databaae Appljcation Development Review. Tl*e purpoee ol tha review\n                wan to ooiennina n ay\xc2\xabtams OBvatopmam u n cyda procatsea ware tottowed, nay daltwenDlas\n                Mwra pn>due\xc2\xabd, and key aacivity taaiuraa were kwhjbad dunng ayaUma Onatopmant. W a are\n                ploaiod thai ihs ravloi* imramlmd no high-laval ra^ulr\xc2\xabmanii dofinhion w aaourity dslioiDrwJiN and\n                wn am iwtdriuMino thn mraHfMTMndations lalatad la tti* (wuMEty tludy. aoftwiara qiallty\n                usuranca raprasentathw and ooal benoTtto analyaii.\n\n                The attachad InhMTnetbn is dastlfied aa ^satrKratf* and ihould be arampi trom diaclosva u i d v\n                ttw Fnwdom of informatton A c t\n\n                tl vou turva any queationa regarding our raaponaa and you would Gk\xc2\xab to diacuas iham tuithar,\n                       I cuaoot tho i r a u d i ooordinolor, KalMaan Gobor a\\ (20Z) 2Se-fll&6.\n\n\n\n\n                       Robert L O n o\n                       Jamei W. Bule\n                       Jetlrey L Freeman\n                       James L. OoUen\n                       Jo^:\xc2\xab Hansen\n\n\n\n\n                W H W X O . DC KCBCMJUO\n\n                r w M l MB M M\n                m^iM^.i^                                nastrtcted InloffnaiiM\n\x0cFacilities Database Application                                                                                                                   EM-AR-02-003\n Development Review\n\n\n\n\n               PMltttlaa D o l a h u * AppUasHon Dttyatopmont Rairtow\n               Managafwani Raeponee Harch 11,2009\n\n\n\n               n f f f l p i p a n d a H o n l ; Cofflplata a faoalbUtty tiudy on HieFaclUtlaa D a t a b M e prior to\n               o b t a h l n g f u n d b t o apprevaL\n\n               Hampom*-. W a agree Vwi a lom^a) faaalbtSty atudy doea not axiat: trawmar, wa ( M l ttiat tlw\n               combknticn of two pravioui task ordtr efforta, AsMastnent (3 defivaraUw} artd Ccnoapiimt\n               Design (B doiivwaMes): hava garwratad data sutllclanl to complete a lomufized laaaibilty study.\n               The audit roport (uitlier atatoa that a Commaniiai Ofl-The-Shair S c A w v a padtaga aolutlon "was\n               not tulty evaluated.\' Dalherabia * 5 , "Facilttlsa Datsbasa COTS R u a a r c h * dated Fetvuaty 12,\n               2001. e w h a l a a the stranotha and waakrwaiaa of COTS ulutlona, eaUefying ttua r w ^ r e m M t\n               W B will ognipMa a tonnal teasibdity aludy prior to obtairung lurtding approval.\n\n               Sdwdule: Quaner 3, FV 2002\n\n               Rsaponanrie Executive: JelTFraaman\n\n\n               B S S f i l D Q t f U t B d s n l : Enetire bidapeoilenl eottware eaaufanc* h i n d i o n a are partonnBd\n               throughout the FecUIUee Database p r e l K i -\n\n               Reepona*; We a g r M . W a wO add a Sottwera Qualhy AMurartce repr\xc2\xab\xc2\xbb\xc2\xabniath\xc2\xab lo Via pmlool\n               tsam upon the kiHiatlon ol Uta next phase Ol work.\n\n               Sct\xc2\xab\xc2\xab]tie: Ouarter 3. FY 2002\n\n                ResponslPla Executive: Jail Freeman\n\n\n               Hacommaiwiattow \\ . C o n p l a t a tha boat t w r a l t t a analyala. prtor t o m m t n g f o r w a r d w i t h a\n                    tffir funding.\n\n                Reapona*: Waaflrae. The audt report stated that ThaootlbeneDlanalyals bo praparad at an\n                oaiftar etaOe in tha prejact.\' Tha audri rsport furttMr qiMitea the USPS Program Managemant\n                PTQoenQuUQthaslPMPG), \' . . . 4 e w t a p a n \xc2\xab p p n i x l m a i l c i n o l \xc2\xab w o o i U o l t h e f M o u r c a \xc2\xab f > e a c M\n                to complate prosrain acttvWes,* and ttta atectronlc Sottwara Prooaea Standatda ft Prooadurea\n                (eSPSP).\'\xe2\x80\x94itw ooat aatknala Inoljde all ooeis from all intomiatlon syatams auppomng\n                organlzattons tor tha entire pn]jact.- W e teal the raquiremenli a d d m s e d by the PlylPO and the\n                a C r e r ware aailafwd wrih (MhreraUe ae, Hign L O W I Plan, wtilon pravldoo tha M a t wUmatoa fcr\n                the antire pni)o\xc2\xabL The raqueci Mr ttnHng (or the rwxi pnasa wni irutuda boin an \xc2\xbb t > n a i > ol o o t t i\n                andtneb^nettts.\n\n                Schedule: Ouvtar 4, FY 201^\n\n                HesponslPt* EiecuUvD: Jell Freeman\n\n\n\n\n                                                                 Haatncted inronnalion\n\x0c'